Brad summarizes the ongoing hacking problems that have plagued Xbox Live since the middle of last year. While exploring the potential causes and fixes, he ultimately puts the blame on Microsoft's inability to acknowledge the problem (similar to the company's response to Red Ring of Death) and take measures to protect customer data -- security steps that competitors Valve and Sony employ.
First reported by AnalogHype and Eurogamer, the news comes from an Xbox Live user named Jason Coutee who also recently had his account broken into and had 8000 MS points purchased fraudulently. After contacting Microsoft support, he declined the offer to have his account locked for 30 days so that the intrusion could be investigated. Coutee, who is employed as a network infrastructure manager, instead decided to conduct his own investigation into the possible cause.
What Coutee discovered was a rather severe flaw in the Xbox.com website login system. For hackers, it’s not difficult to compile a large list of email addresses potentially connected to an Xbox Live gamer tag, and because the site returns different errors for nonexistent accounts than for real accounts with incorrect passwords, those can be easily sorted for further scrutiny. But the big problem is that the site’s security measure intended to kick in after eight failed password attempts -- invoking a CAPTCHA -- can be easily circumvented. The whole process can be simply automated by a hacker, which allows him effectively infinite login attempts on any Live account.
This allows for what are called "brute force" hacks. Essentially, if there is nothing to stop a hacker from trying to log in to a single account as many times as he wants, he can create a script to run through a list of common, stolen, or randomly generated passwords until he finds one that works. Given enough time, hitting the right password for some accounts is inevitable. For this reason, most sites and services will lock an account after a handful of failed attempts. Many also analyze access patterns for such requests in real time to detect and block possibly malicious activity. Unfortunately for hacking victims, Microsoft failed on both accounts.
Now, some will tell you that remotely brute forcing any password that is not a short dictionary word is not feasible, but that belies an antiquated understanding of password security. In order to maximize the possibility of success, hackers have many sophisticated and powerful tools at their disposal. Low-latency, fiber Internet connections, botnets, GPU-accelerated password-cracking software, databases of known passwords from other hacks, and a little human psychology take the hackers a lot further than most suspect. They do not have to test every single possible combination for an eight character alphanumeric password. They can look at the kind of passwords people actually construct and generate a list accordingly.
For a long time, we’ve been told to combine letters and numbers and avoid words to create something secure. Back in 2002, a password like "ronco123" seemed really secure, but computational increases and hacker sophistication have progressed exponentially in the last decade. Now that password is fairly weak. Not as weak as "password" or "1234," but far below current security standards. Furthermore, "ronco123" is constructed in a very obvious manner. The vast majority of people who think they are using good security practices will have a password that looks very similar -- if only because it feels natural to put the letters on the left and the numbers on the right. Frequently, the numbers will just be padding, and thus, a lot of 123s or 11s are appended to a word or acronym. Otherwise, you’d expect lots of dates in two or four digits, and given the expected age of your target, you could narrow that further to 01 through 12, 60 through 99, and 1960 through 2012, frequently paired with names of cities, places, or events.
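The construction patterns described above (letters on the left, digits on the right; 123/11 padding; two- or four-digit dates in the ranges the article names) can be turned into a password-policy check on the defending side, so that a service refuses exactly the passwords a guessing list is built around. The following is an added example written for this page, not code from the article or from Microsoft; the pattern names, the small "top list" and the date ranges encoded in it are assumptions taken from the article's own description, and the sample passwords are constructed.

```python
import re

# Constructed from the article's examples: digit suffixes that are usually just padding.
COMMON_PADDING = {"1", "11", "12", "123", "1234", "0", "00", "01", "69", "007"}
# The article's age-based ranges: 1960 through 2012 (four digits), 01-12 and 60-99 (two digits).
YEAR_RANGE = range(1960, 2013)
TWO_DIGIT_RANGE = set(range(1, 13)) | set(range(60, 100))
# Small constructed stand-in for a real list of most-used passwords.
TOP_LIST = {"password", "1234", "12345", "123456", "qwerty"}


def classify(password: str) -> list:
    """Return the names of the weak-construction patterns a password matches.

    An empty list means none of the article's patterns were found; it does not
    by itself mean the password is strong.
    """
    findings = []
    if password.lower() in TOP_LIST:
        findings.append("top-list")
    # "letters on the left and the numbers on the right": word or acronym + digits
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", password)
    if m:
        _word, digits = m.groups()
        findings.append("letters-left-digits-right")
        if digits in COMMON_PADDING:
            findings.append("numeric-padding")
        if len(digits) == 4 and int(digits) in YEAR_RANGE:
            findings.append("four-digit-year")
        if len(digits) == 2 and int(digits) in TWO_DIGIT_RANGE:
            findings.append("two-digit-date")
    return findings


def is_acceptable(password: str, min_len: int = 12) -> bool:
    """Policy check: long enough and free of the predictable constructions above."""
    return len(password) >= min_len and not classify(password)


if __name__ == "__main__":
    for candidate in ["ronco123", "boston1987", "seattle99", "password",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {classify(candidate)} acceptable={is_acceptable(candidate)}")
```

The check is deliberately rule-based rather than entropy-based: "ronco123" scores reasonably on a naive character-class count, which is exactly why the article calls that measure antiquated, while a structural check rejects it because its shape is the one guessing lists are built to cover first.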
Additionally, there is no reason for a hacker to limit themselves to brute forcing a single account at a time. Let’s assume at a base level that you can’t check more than 100 passwords on a single account per second (although that is incredibly conservative -- in truth, it's probably 10 times that rate). Unless the password in use is exceptionally poor, cracking will still take some time to succeed. The solution is to scale up the scope of the attack by brute forcing many accounts at the same time. Since it can all be automated, there is no reason not to be testing hundreds if not thousands of accounts at the same time, 24 hours a day. Every time a successful password is discovered, it is recorded in a text file for later exploitation. For the hacker, the result is a constant stream of vulnerable accounts that could each pay out hundreds of dollars.
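The three weaknesses the article has described so far are distinct, and a login front end has to close all of them: the differing error messages that let valid accounts be sorted from invalid ones, the missing per-account lockout that permits unlimited guesses against one account, and the missing per-source rate limit and pattern analysis that permit the horizontal "many accounts at once" variant. The following is an added example written for this page, not code from the article or from Microsoft; the user store, thresholds, IP addresses and the `LoginGuard` class are constructed assumptions (a real service would check salted password hashes and keep this state in shared storage, not in memory).

```python
import time
from collections import defaultdict, deque

# Constructed demo user store. Plaintext only so the example is self-contained;
# a real service stores salted hashes and compares in constant time.
USERS = {"alice": "correct horse battery staple", "bob": "ronco123"}

MAX_FAILURES_PER_ACCOUNT = 8     # the article says Xbox.com reacted at eight failures
LOCKOUT_SECONDS = 15 * 60        # assumed lockout length
MAX_ATTEMPTS_PER_SOURCE = 20     # assumed per-IP budget per window, any account
WINDOW_SECONDS = 60
HORIZONTAL_ALERT_ACCOUNTS = 5    # one IP touching this many accounts in a window is flagged

# One message for "no such account", "wrong password" and "locked", so that the
# response body cannot be used to sort real accounts from nonexistent ones.
GENERIC_FAILURE = "Invalid e-mail address or password."


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(int)            # account -> consecutive failures
        self.locked_until = {}                      # account -> unix time
        self.source_attempts = defaultdict(deque)   # ip -> deque of (ts, account)
        self.alerted = set()
        self.alerts = []                            # (ip, sorted accounts) for the SOC

    def _prune(self, ip, now):
        dq = self.source_attempts[ip]
        while dq and now - dq[0][0] > WINDOW_SECONDS:
            dq.popleft()

    def attempt(self, ip, account, password, now=None):
        """Return (internal_status, client_message). Only the message reaches the client."""
        now = time.time() if now is None else now
        self._prune(ip, now)
        dq = self.source_attempts[ip]
        dq.append((now, account))

        # Per-source budget is spent whether or not the account exists or is locked,
        # so an attacker cannot learn anything from which attempts were "free".
        if len(dq) > MAX_ATTEMPTS_PER_SOURCE:
            return "rate_limited", GENERIC_FAILURE

        # Horizontal-attack detection: one source spraying many distinct accounts.
        distinct = {acct for _, acct in dq}
        if len(distinct) >= HORIZONTAL_ALERT_ACCOUNTS and ip not in self.alerted:
            self.alerted.add(ip)
            self.alerts.append((ip, sorted(distinct)))

        # Per-account lockout: even the correct password is refused while locked.
        if self.locked_until.get(account, 0) > now:
            return "locked", GENERIC_FAILURE

        if USERS.get(account) == password:
            self.failures[account] = 0
            return "ok", "Welcome"

        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES_PER_ACCOUNT:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return "locked", GENERIC_FAILURE
        return "failed", GENERIC_FAILURE


if __name__ == "__main__":
    guard = LoginGuard()
    # Constructed attempt stream: eight guesses at bob, then the right password.
    for i in range(8):
        print(guard.attempt("10.0.0.2", "bob", "wrong", now=i))
    print(guard.attempt("10.0.0.2", "bob", "ronco123", now=8))   # locked, even though correct
    # Constructed spray: one IP, five different accounts.
    for n in range(5):
        guard.attempt("10.0.0.3", f"user{n}", "x", now=100)
    print(guard.alerts)
```

The internal status string is what gets logged and shipped to detection tooling; the client only ever sees the one generic message, which is the enumeration fix. Note that the lockout counter is also kept for accounts that do not exist: if nonexistent accounts never locked, the eighth attempt would once again reveal which names are real.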
In an official statement given to 1UP when the site reported on the flaw, Microsoft disputed that article’s characterization of this as a "loophole" in their security. According to a Microsoft rep, "The hacking technique outlined is an example of brute-force attacks and is an industry-wide issue." This is true: brute forcing is a known technique, but most organizations have working security measures to prevent it from being an effective attack vector. Microsoft also goes on to reiterate its earlier statements that the service itself has not been hacked, another technical truth. In both cases, Microsoft is playing a semantic game to obfuscate the truth while tacitly acknowledging the critical flaw in their authorization system did exist.
According to a follow-up report from Jason Coutee, shortly after the news of this flaw broke, Microsoft implemented a silent fix on the back end of Xbox.com. Hopefully, their solution will be effective in blocking a majority of future attempts to hijack accounts, but their negligence and evasiveness over the FIFA hacks to date are not encouraging. Unless the executives at Microsoft decide to completely change course and come clean with concrete details about what has been going on -- something they were eventually forced to do previously with the hardware flaws that led to the Red Ring of Death -- we may never have a clear picture of the full extent of the problem.